Authority Service, Chrome v80+ and SameSite

References

https://blog.chromium.org/2020/02/samesite-cookie-changes-in-february.html
https://web.dev/samesite-cookies-explained
https://www.zdnet.com/article/apple-blocks-third-party-cookies-in-safari/
Upcoming SameSite Cookie Changes in ASP.NET and ASP.NET Core - https://devblogs.microsoft.com/aspnet/upcoming-samesite-cookie-changes-in-asp-net-and-asp-net-core/
https://docs.microsoft.com/en-gb/dotnet/core/compatibility/3.0-3.1

Background

Google Chrome and Chromium started with v80 to introduce a breaking change in how SameSite cookies are handled. The OpenID Connect protocol needs SameSite=None (and thereby also IdentityServer4 and Authority). This breaking change in behavior has been announced for quite some time and is considered important since it improves security and privacy.
It is expected that other browser also will follow and make this mandatory.

Official solution - configure HTTPS

We’ve verified that Authority v2.0.4 is compliant with the SameSite changed outlined above.
However, since SameSite=None also requires a secure protocol, Authority has to be configured with HTTPS when communicating with the browser in order to be compliant.
If you are usin Ayfie Supervisor, configuring it to use HTTPS requires additional steps, as outlined in ayfie SSL and HTTPS Configuration

Tested with Supervisor and Authority

When enabling HTTPS in both Authority and Supervisor, we’ve tested that logon works with Chrome v80.

Workaround

It is possible to change the Chrome v80 browser setting to not require a secure protocol.
This defeats the purpose of the change, but might be something to temporarily mitigate the situation until HTTPS in enabled across the line.

Steps

In the address bar, enter chrome://flags/.
Search flag Cookies without SameSite must be secure.
Change the flag from Default to Disabled.
Restart browser.
Then it works!